SSHGuard monitors servers from their logging activity. When logs convey that someone is doing a Bad Thing, sshguard reacts by blocking he/she/it for a bit. Sshguard has a touchy personality: when a naughty tyke insists disturbing your host, it reacts firmer and firmer.
Now the nice thing about SSHGuard is that, despite its name, it protects quite a different services, and I now use it for SSH, Dovecot, and vsftpd. Unfortunately, the documentation makes it seem that these will be set up automatically, but that is only the case for SSH.
With the Log Sucker, SSHGuard fetches log entries proactively, and handles transparently events like rotated log files and files disappearing and reappearing. The Log Sucker has been written to zero the configuration burden on the logging system side, and to allow SSHGuard to poll many log sources at once.
The “Log Sucker” is simply a command line option,
-l <some log file>, that will automatically parse the log and start blocking the bad guys. After installing SSHGuard, you can see exactly how it is running via
ps -ef | grep sshguard. On my system this revealed the following:
/usr/sbin/sshguard -i /var/run/sshguard.pid -l /var/log/auth.log -w /etc/sshguard/whitelist -a 40 -p 420 -s 1200
Note that only one log file,
/var/log/auth.log, is being “sucked”, even though I have other supported services installed, so I figured that I would need to configure SSHGuard to monitor the others as well. The first thing I did was refer to the documentation via
man sshguard, which states clearly that
sshguard does not make use of any configuration file. That is not very informative; where is SSHGuard receiving these arguments?
The package I installed (from the APT repositories) also set up a service for SSHGuard, so next I inspected
/etc/init.d/sshguard, which showed me that for each filename in the environment variable
$LOGFILES, if the file existed, the name was appened via the log sucker to the
sshguard instance spawned by the service. It also revealed that this variable was read from
/etc/default/sshguard (seems obvious now, eh?). Thankfully, from this point, configuring SSHGuard is as simple as editting this file so that the
$LOGFILES variable looks something like this:
LOGFILES="/var/log/auth.log /var/log/vsftpd.log /var/log/mail.log"
It had the first log file (
auth.log, used for SSH and others), and I added vsftpd’s and Dovecot’s log files (
mail.log respectively). Individual services’ documentation should point out the necessary log files.
At some point I will likely create a Puppet module that can do this all for us, but until then, at least we can do it manually (and it is easy).
P.S. I am not certain that Dovecot requires
mail.log, as its PAM authentication shows up
vsftpd.log did need configuration.